A Simple Guide to Microsoft Defender for Endpoint: Plans and Features

What is Microsoft Defender for Endpoint?

It’s surprising how often I speak to businesses about endpoint security, and many still see Microsoft Defender as just a “built-in antivirus” that couldn’t be all that good. But in reality, Microsoft Defender for Endpoint is a feature-packed, enterprise-grade security solution that many organizations already have access to through their Microsoft 365 subscription—often without realizing its full potential.

In this blog, we’ll explore why Defender for Endpoint stands out as more than just antivirus software. We’ll break down its plans, capabilities, and features to give you a better understanding of how this tool can strengthen your organization’s security posture.

A Powerful Security Solution Across Devices

Microsoft Defender for Endpoint works across multiple platforms—Windows, macOS, Linux, Android, and iOS—leveraging advanced technologies like machine learning, behavioural analytics, and cloud intelligence to safeguard your environment from a range of cyber threats.

One standout feature is how Defender integrates with Microsoft Secure Score, offering a clear snapshot of your organization’s security health. Secure Score provides actionable recommendations to help you enhance protection. The higher your score, the more secure your business is.

Microsoft Defender for Endpoint: The Plans

Microsoft Defender for Endpoint comes in two main versions: Plan 1 (P1) and Plan 2 (P2), with a special Defender for Servers option if you’re protecting server infrastructure. If you need even more advanced features, you can also add the Defender Vulnerability Management Add-on.

Which Plans Are Included in Your Microsoft 365 Subscription?

  • Microsoft 365 Business Standard: Doesn’t include any Defender for Endpoint features.
  • Microsoft 365 Business Premium: Comes with Plan 1 (P1), giving you essential protection like antivirus, attack surface reduction, web content filtering, and tamper protection.
  • Microsoft 365 E3: Comes with Plan 1 (P1), giving you essential protection like antivirus, attack surface reduction, web content filtering, and tamper protection.
  • Microsoft 365 E5: Offers the full package with Plan 2 (P2), which includes advanced capabilities like Endpoint Detection and Response, Threat and Vulnerability Management, and automated investigation and remediation.

1. Plan 1 (P1)

P1 is the essential package and perfect if you’re looking for strong, reliable security. Here’s what you get:

  • Next-Generation Protection: Built-in antivirus and anti-malware tools to protect you from new and known threats.
  • Tamper Protection: Stops anyone from messing with your security settings, so key protections stay on.
  • Attack Surface Reduction (ASR): Limits what apps, scripts, and macros can do, cutting down on risk from things like ransomware.
  • Web Content Filtering: Blocks unsafe websites to reduce the chance of malware or phishing.

Tamper Protection: Why It Matters

One of the most valuable features of Microsoft Defender for Endpoint is Tamper Protection. It makes sure that critical security settings—like real-time antivirus scanning and cloud-delivered protection—can’t be changed by unauthorized users or malware.

Key benefits of Tamper Protection:

  • Consistent Security: Keeps your security settings locked down, so they can’t be accidentally or maliciously altered.
  • Stops Attacks from Disabling Protections: Protects against malware that tries to switch off your defenses like antivirus or firewalls.
  • Peace of Mind: With Tamper Protection, you can rest easy knowing that your security setup stays as it should, with no surprises.

For example, if ransomware tries to disable your antivirus so malware can run, Tamper Protection steps in and blocks these changes, keeping your systems safe from potentially serious attacks.

https://learn.microsoft.com/en-gb/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#requirements-for-managing-tamper-protection-in-the-microsoft-365-defender-portal

2. Plan 2 (P2)

Plan 2 takes things up a notch, adding advanced tools for those who need extra protection:

  • Endpoint Detection and Response (EDR): Real-time threat detection, investigations, and quick response to incidents.
  • Device Isolation: Remotely isolate infected devices to prevent malware from spreading across the network.
  • Automated Investigation and Remediation: Defender uses AI to investigate alerts and fix problems without needing manual intervention.
  • Device Grouping & High-Priority Devices: Organize your devices for better management, and mark key devices (like exec laptops) as high priority to get faster responses to alerts.
  • Threat and Vulnerability Management (TVM): Continuously scan for vulnerabilities and get recommendations for fixes, all tied into your Secure Score.


Defender for Servers: Protecting Your Server Environment

In addition to protecting personal devices like laptops and mobile phones, Microsoft Defender for Servers is specifically designed to secure your Windows and Linux servers. Servers often hold critical data, so it’s essential to keep them protected.

There are two plans for servers:

Defender for Servers Plan 1

Plan 1 offers solid protection for your servers with features like:

  • Next-Generation Protection: Antivirus and anti-malware for detecting malicious activity.
  • Attack Surface Reduction (ASR): Helps minimize attack opportunities by controlling risky behaviours.
  • Integration with Azure Security Centre: Get a central dashboard to manage and secure your servers.

Defender for Servers Plan 2

Plan 2 takes things to the next level, giving you advanced tools like:

  • Endpoint Detection and Response (EDR): Get real-time visibility and quickly respond to incidents on your servers.
  • Threat and Vulnerability Management (TVM): Scan your servers for vulnerabilities and get actionable steps to fix them.
  • File Integrity Monitoring (FIM): Track any unauthorized changes to critical system files.
  • Just-in-Time (JIT) VM Access: Reduce the time window for accessing VMs, limiting the chance of unauthorized access.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan


Defender Vulnerability Management: Plans and Capabilities

Microsoft Defender for Endpoint also provides robust Vulnerability Management capabilities through the Defender Vulnerability Management Add-on. It ensures continuous detection and mitigation of vulnerabilities in your devices and servers. Here’s a breakdown of what each plan offers:

The comparison covers three offerings: Defender for Endpoint Plan 2 (core TVM features), the Defender Vulnerability Management Add-on (Premium), and Defender Vulnerability Management Standalone (for use with any EDR). Capabilities compared:

  • Device discovery
  • Device inventory
  • Vulnerability assessment
  • Configuration assessment
  • Risk-based prioritization
  • Remediation tracking
  • Continuous monitoring
  • Software inventory
  • Software usage insights
  • Security baselines assessment
  • Block vulnerable applications
  • Browser extensions assessment
  • Digital certificate assessment
  • Network share analysis
  • Hardware and firmware assessment
  • Authenticated scan for Windows

https://learn.microsoft.com/en-us/defender-vulnerability-management/defender-vulnerability-management-capabilities

https://learn.microsoft.com/en-us/defender-vulnerability-management/tvm-browser-extensions


Why Many Customers Aren’t Fully Using Microsoft Defender for Endpoint

Despite Microsoft Defender for Endpoint consistently being recognized as a leader in the Gartner Magic Quadrant for the past five years, I’ve found that many customers don’t take full advantage of all the features it offers.

Microsoft Defender for Endpoint does so much more than just act as an antivirus. It’s packed with powerful tools like real-time threat detection, automated remediation, and vulnerability management. Despite all this, a lot of organizations still treat it as basic antivirus protection and miss out on everything it offers.

By leveraging all the features mentioned in this blog, businesses can take their security to the next level. Whether it’s better organizing devices, securing your network, or monitoring threats in real time, using these tools helps create a solid, proactive security strategy. That’s what makes Defender for Endpoint a true game-changer for companies today.

https://www.microsoft.com/en-us/security/blog/2024/09/25/microsoft-is-named-a-leader-in-the-2024-gartner-magic-quadrant-for-endpoint-protection-platforms/


Key Features Across All Plans

Here’s a closer look at some of the top features available across the different Defender for Endpoint plans:

1. Attack Surface Reduction (ASR)

ASR helps reduce the number of ways attackers can get into your system by controlling how apps, scripts, and macros interact. This is particularly useful for stopping things like ransomware or fileless malware attacks before they can do damage.

https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
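A practical way to adopt ASR rules is to enable them in audit mode first, review what they would have blocked, and only then switch to block mode. The following PowerShell is an added example and not code from the original post or from Microsoft; it uses the Defender cmdlets that ship with Windows. The rule GUIDs are the published Microsoft identifiers for the named rules, but confirm each one against the ASR rules reference linked above before rolling it out, and note that the message layout parsed in Get-AsrEvents is an assumption about current Defender event text.

```powershell
# Added example (not from the original post): stage ASR rules in audit mode,
# read back their current state, and list the events they generated.
# Run in an elevated PowerShell session on a Windows device.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

function Set-AsrRulesAuditMode {
    # Add-MpPreference merges with rules already configured; Set-MpPreference
    # would replace the whole list, which is rarely what you want.
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-AsrRuleState {
    # Returns one object per configured rule with its action decoded.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
        $actionName = switch ([int]$actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
        }
        [pscustomobject]@{
            RuleId = $ids[$i]
            Name   = $AsrRules[$ids[$i]]   # $null for rules not in the table above
            Action = $actionName
        }
    }
}

function Get-AsrEvents {
    param([int]$Hours = 24)
    # Event 1121 = rule fired in Block mode, 1122 = rule fired in Audit mode.
    $guidPattern = '[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $ruleId = [regex]::Match($_.Message, $guidPattern, 'IgnoreCase').Value
        # "Path:" line in the event text (assumed layout; empty if not present)
        $path   = [regex]::Match($_.Message, 'Path:\s*(.+)').Groups[1].Value.Trim()
        $mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = $mode
            RuleId = $ruleId
            Name   = $AsrRules[$ruleId]
            Path   = $path
        }
    }
}

# Typical sequence: stage in audit, check state, review a day of events.
Set-AsrRulesAuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Once the audit events show only activity you are happy to block, re-run Add-MpPreference for the same rule IDs with -AttackSurfaceReductionRules_Actions Enabled. Audit events are the evidence that tells you which line-of-business apps need an exclusion before the rule goes to block mode.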

2. Device Isolation

If you spot a compromised device, Device Isolation allows you to cut it off from the network remotely to stop any malware from spreading. This is a game-changer in the event of an attack.

Use Case: Let’s say a laptop starts acting strangely and showing signs of a ransomware attack. You can isolate it immediately, stopping the attack in its tracks while your team investigates.
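The isolation described above can also be triggered from the Defender for Endpoint API, which is how response playbooks usually do it. The PowerShell below is an added example, not code from the original post or from Microsoft. It assumes you already hold an OAuth access token for https://api.securitycenter.microsoft.com granted the Machine.Isolate permission, and that $MachineId is the device's Defender machine ID as shown in the portal.

```powershell
# Added example (not from the original post): isolate a device, release it
# later, and poll the resulting machine action. Token acquisition is out of
# scope here; $AccessToken is assumed to be a valid bearer token.
$ApiBase = 'https://api.securitycenter.microsoft.com/api'

function Invoke-DeviceIsolation {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $MachineId,
        [Parameter(Mandatory)] [string] $Comment,      # recorded in the action history
        [ValidateSet('Full', 'Selective')] [string] $IsolationType = 'Full',
        [switch] $Release                              # release instead of isolate
    )
    $action = if ($Release) { 'unisolate' } else { 'isolate' }
    $body   = @{ Comment = $Comment }
    # Selective isolation keeps Outlook, Teams and Skype for Business working;
    # Full cuts everything except the Defender cloud connection.
    if (-not $Release) { $body.IsolationType = $IsolationType }

    Invoke-RestMethod -Method Post -Uri "$ApiBase/machines/$MachineId/$action" `
        -Headers @{ Authorization = "Bearer $AccessToken" } `
        -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json)
}

function Get-MachineActionStatus {
    # Status moves through Pending -> InProgress -> Succeeded / Failed / Cancelled.
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $ActionId
    )
    (Invoke-RestMethod -Uri "$ApiBase/machineactions/$ActionId" `
        -Headers @{ Authorization = "Bearer $AccessToken" }).status
}

# Example use during an incident (IDs are placeholders):
$AccessToken = '<bearer-token>'
$MachineId   = '<defender-machine-id>'
$action = Invoke-DeviceIsolation -AccessToken $AccessToken -MachineId $MachineId `
            -Comment 'IR-1234: suspected ransomware precursor, isolating pending triage'
do {
    Start-Sleep -Seconds 10
    $status = Get-MachineActionStatus -AccessToken $AccessToken -ActionId $action.id
} while ($status -in 'Pending', 'InProgress')
"Isolation action $($action.id) finished with status: $status"

# When triage is complete, release the device the same way:
# Invoke-DeviceIsolation -AccessToken $AccessToken -MachineId $MachineId -Release `
#     -Comment 'IR-1234: cleared by IR team'
```

The Comment is mandatory on both calls and ends up in the device's action centre history, so make it the incident reference rather than free text; it is the audit trail for who cut a machine off and why.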

3. Tamper Protection

Tamper Protection prevents unauthorized changes to key security settings, keeping your protections intact. This feature blocks both malware and unauthorized users from disabling critical protections like real-time antivirus, ensuring your defences stay in place.

Benefits:

  • Stops attackers from turning off security settings like antivirus or firewall protection.
  • Ensures consistent protection by preventing accidental or malicious changes.
  • Peace of mind knowing that your security settings are locked down.

Use Case: For example, if ransomware tries to disable antivirus protections, Tamper Protection steps in to block these changes, keeping your devices safe.
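Tamper Protection is enabled centrally (from Intune or the Defender portal, as the Microsoft page linked earlier describes), but it is worth being able to verify from the endpoint that it is on and that the settings it guards are in the expected state. The PowerShell below is an added example for both Tamper Protection sections of this post, not code from the original or from Microsoft; it uses the Defender module that ships with Windows, and the three-day signature age threshold is a local choice rather than a Microsoft default.

```powershell
# Added example (not from the original post): read back the protections that
# Tamper Protection keeps switched on, and report any that are off.
# Run in an elevated PowerShell session on a Windows device.
function Get-DefenderProtectionState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        TamperProtected    = [bool]$status.IsTamperProtected
        AntivirusEnabled   = [bool]$status.AntivirusEnabled
        RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        BehaviorMonitoring = [bool]$status.BehaviorMonitorEnabled
        # MAPSReporting: 0 = off, 1 = basic, 2 = advanced. Cloud-delivered
        # protection is one of the settings Tamper Protection locks.
        CloudProtection    = ([int]$pref.MAPSReporting -ne 0)
        SignatureAgeDays   = [int]$status.AntivirusSignatureAge
    }
}

function Test-DefenderProtectionState {
    param([int]$MaxSignatureAgeDays = 3)   # threshold is a local choice
    $s = Get-DefenderProtectionState
    $findings = @()
    if (-not $s.TamperProtected)    { $findings += 'Tamper Protection is OFF: the settings below can be changed locally' }
    if (-not $s.AntivirusEnabled)   { $findings += 'Antivirus engine is disabled' }
    if (-not $s.RealTimeProtection) { $findings += 'Real-time protection is disabled' }
    if (-not $s.BehaviorMonitoring) { $findings += 'Behaviour monitoring is disabled' }
    if (-not $s.CloudProtection)    { $findings += 'Cloud-delivered protection (MAPS) is off' }
    if ($s.SignatureAgeDays -gt $MaxSignatureAgeDays) {
        $findings += "Signatures are $($s.SignatureAgeDays) days old"
    }
    if ($findings.Count -eq 0) { 'All expected protections are on' } else { $findings }
}

Get-DefenderProtectionState | Format-List
Test-DefenderProtectionState
```

These cmdlets only read state; none of them can turn Tamper Protection on or off, which is the point of the feature. With Tamper Protection on, a local Set-MpPreference call that tries to disable real-time monitoring is ignored, so a finding of "Real-time protection is disabled" together with "Tamper Protection is OFF" on a managed device is something to raise rather than fix locally.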

4. Device Grouping

Grouping devices makes it easy to manage your security. You can organize devices by department, risk level, or role and apply specific policies to each group.

Use Case: You can group all devices in the finance department under stricter security policies since they handle sensitive financial data, while leaving general office devices under standard security measures.

5. Marking Devices as High Priority

This feature is super handy for ensuring that critical devices get the attention they need. Marking a device as high priority means it gets monitored more closely, and any security alerts for that device are flagged for faster responses.

Use Case: Marking the CEO’s laptop or key company servers as high priority means any security incidents related to those devices will be treated with extra urgency.

6. Threat and Vulnerability Management (TVM)

TVM is always on the lookout for vulnerabilities on your devices and servers. It ranks them based on how risky they are and gives you recommendations for how to fix them, all while helping you improve your Secure Score.


Final Thoughts

Microsoft Defender for Endpoint is a lot more than just antivirus software—it’s a full security platform that helps you stay on top of cyber threats. Whether you’re securing laptops, mobile devices, or critical servers, Defender gives you the tools you need to manage and monitor your entire environment.

With advanced features like Device Isolation, Threat and Vulnerability Management, and Attack Surface Reduction, Defender for Endpoint helps you take a proactive approach to security, ensuring your organization stays protected from modern cyber threats.

Microsoft Entra ID Free, P1, and P2: What’s the Difference and Which One Do You Need?

If you’re diving into Microsoft Entra ID (formerly Azure AD), you’ve likely come across its different licensing tiers: Free, Premium P1, and Premium P2. With various options, it can be tricky to know which one is best suited for your organization. Let’s break it down, exploring what each version offers, the differences, and why you might choose one over the other.

Entra ID Free: The Basics

Entra ID Free is a great starting point for small businesses or organizations with simpler needs. This tier offers the essential tools for managing identities and access without any cost.

What You Get with Entra ID Free:

  • User and group management: Manage who’s in your organization and assign them to specific groups.
  • Single Sign-On (SSO): Users sign in once and gain access to multiple Microsoft services (like Office 365) and supported third-party apps.
  • Basic Multi-Factor Authentication (MFA): Add an extra layer of security by requiring users to authenticate using a second factor (e.g., phone, app, or biometric).
  • Self-Service Password Reset (for cloud users): Let cloud users reset their passwords on their own, freeing up IT resources.
  • Device registration: Users can register their devices to access corporate resources more securely.
  • Security Reporting: Get insights into risky sign-ins and suspicious activity to detect potential threats.
  • Azure AD Join: Users can connect their Windows devices to Azure AD for centralized management.
  • Azure AD Connect: This free tool allows you to sync on-premises Active Directory with Azure AD, enabling a hybrid identity environment. Basic sync, such as syncing users and passwords, is available with the Free tier.
  • Global Blocked Password List: Microsoft maintains a list of weak passwords that are automatically blocked.

Why Entra ID Free is Great:

  • It’s free: Perfect for small businesses that don’t need advanced features.
  • Core functionality: Provides essential security tools like SSO, MFA, and Azure AD Connect to enable basic hybrid identity management.

Included with Microsoft 365 Plans:

  • Business Standard: Entra ID Free is included, giving you basic identity management but lacking the advanced features of the Premium tiers.

Entra ID Premium P1: Stepping Up Your Security Game

As your business grows and your security needs become more complex, Entra ID Premium P1 offers the advanced tools you’ll need. P1 includes everything from the Free tier, but with additional security features like Conditional Access and dynamic groups, giving you better control over who accesses what, and from where.

What You Get with Entra ID P1:

  • All Free Tier Features: Everything from the Free plan, plus more.
  • Conditional Access: This is a key feature. You can set up policies that grant or block access based on certain conditions—like location, device, or user status. For example, if someone logs in from an unfamiliar device or risky location, Conditional Access can prompt for additional authentication or block access.
  • Self-Service Password Reset (for On-Premises Users): Users with on-premises accounts can reset their passwords without IT’s help.
  • Dynamic Groups: Automatically adjust group memberships based on user attributes (like department or location).
  • Azure AD Connect: This tool remains free with Entra ID Premium P1. However, advanced features like password writeback (allowing users to reset their passwords in the cloud and have changes reflected on-premises) require a P1 license.
  • Custom Blocked Password Lists: You can create a custom list of banned passwords (in addition to the global one) to prevent users from choosing weak or predictable passwords.

Why P1 Might Be Right for You:

  • More control: Conditional Access gives you the flexibility to secure access based on various conditions like location or device type, ensuring stronger security without compromising usability.
  • Hybrid identity with advanced sync features: While Azure AD Connect is free for syncing users and groups, features like password writeback or group writeback are only available with Premium P1, making it a must-have for hybrid identity management.
  • Custom password protection: P1 allows you to enhance password security by blocking weak passwords tailored to your organization’s needs.

Included with Microsoft 365 Plans:

  • Microsoft 365 E3: Comes with Entra ID Premium P1, providing access to advanced security features like Conditional Access, dynamic groups, and custom blocked password lists.
  • Microsoft 365 Business Premium: Also includes Entra ID Premium P1, offering small to medium-sized businesses access to advanced security without the higher costs of an E3 or E5 plan.

Why Conditional Access with MFA is a Big Improvement Over Basic MFA

Multi-Factor Authentication (MFA) is already a great way to enhance your organization’s security by requiring users to provide a second form of identification beyond just a password. But Conditional Access with MFA takes this protection to a whole new level.

1. Contextual Security Based on Real-Time Conditions

Basic MFA prompts users for an additional authentication step. That’s great for security, but it can get annoying for employees who are always logging in from trusted locations and devices. Conditional Access with MFA, on the other hand, only triggers MFA when it’s necessary.

  • For example, if someone is logging in from a known device and a trusted location, they may not be prompted for MFA. But if the same user suddenly tries to access resources from a new country or an untrusted device, MFA can be enforced.

This context-aware approach makes your security more intelligent and reduces the friction for users, only stepping in when there’s a real need to verify their identity.

2. Protects Against More Sophisticated Attacks

Basic MFA protects against common attacks like phishing or credential stuffing, where attackers might steal usernames and passwords. But cybercriminals are getting smarter. They may try to bypass MFA using tactics like man-in-the-middle (MITM) attacks, where they intercept communication between the user and authentication system, or they might try to access your resources from trusted networks to avoid detection.

Conditional Access lets you enforce stricter security policies based on real-time risk factors. For example:

  • If a user’s credentials have been flagged as compromised or they’re attempting to sign in from a high-risk country, Conditional Access can either block access outright or require additional verification.
  • Risk-based Conditional Access (available with Entra ID Premium P2) even analyses things like impossible travel (logging in from two distant locations within minutes) and adapts security policies automatically.

3. Granular Access Control

Conditional Access lets you set precise policies based on factors like:

  • Location: You can block or require MFA for logins from specific locations (like certain countries or unknown IP addresses).
  • Device: You can allow or deny access depending on whether the device is registered, compliant, or up to date.
  • Applications: For especially sensitive apps (like financial systems or data management tools), you can enforce more stringent Conditional Access rules, like always requiring MFA.

With basic MFA, you’re asking for that second factor of authentication every time. With Conditional Access, you can fine-tune these rules to give you greater control over how users access different parts of your system.
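The two behaviours described in this section, MFA required only outside trusted locations (an Entra ID P1 feature) and an outright block on risky sign-ins (risk-based Conditional Access, Entra ID P2), map directly onto Conditional Access policy objects. The PowerShell below is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) and assumes you have a named location marked as trusted and an emergency-access group whose ID replaces the $BreakGlassGroupId placeholder. Both policies are created in report-only mode so their effect can be checked in the sign-in logs before anything is enforced.

```powershell
# Added example (not from the original post): create a baseline MFA policy
# and a sign-in-risk block policy, both report-only. Requires the
# Microsoft.Graph PowerShell SDK and an account allowed to manage policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group

# Policy 1 (Entra ID P1): require MFA for all users on all apps, except
# from locations you have marked as trusted. Break-glass accounts are
# excluded so a misconfiguration cannot lock administrators out.
$baselineMfa = @{
    displayName   = 'CA001 - Require MFA outside trusted locations (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2 (Entra ID P2): block sign-ins that Identity Protection rates
# medium or high risk (impossible travel, leaked credentials, and similar).
$blockRiskySignIns = @{
    displayName   = 'CA002 - Block medium and high sign-in risk (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        signInRiskLevels = @('high', 'medium')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in @($baselineMfa, $blockRiskySignIns)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object Id, DisplayName, State
}

# After a review period, flip a policy to enforced by its ID:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId '<policy-id>' `
#     -BodyParameter @{ state = 'enabled' }
```

Report-only mode writes a "report-only" result for every sign-in the policy would have affected, so a week of sign-in logs tells you how many users would have been prompted or blocked before you change state to enabled. Leaving AllTrusted in excludeLocations only helps if you have actually flagged your office egress ranges as trusted named locations; with none defined, policy 1 prompts everyone, everywhere.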


Entra ID Premium P2: Top-Tier Security for Big Organizations

If your organization handles highly sensitive data or operates in a heavily regulated industry, Entra ID Premium P2 is your best bet. P2 adds even more advanced security and identity governance features to give you peace of mind.

What You Get with Entra ID P2:

  • All P1 Tier Features: Everything from P1, plus more advanced tools.
  • Identity Protection: Automatically detects and mitigates identity-based risks, such as compromised credentials or risky sign-ins.
  • Privileged Identity Management (PIM): Control and monitor access to sensitive roles. You can assign admin privileges temporarily, only when necessary, reducing the risk of unnecessary access.
  • Risk-Based Conditional Access: This takes Conditional Access a step further by dynamically responding to the risk level of each login attempt. For example, if a login from an unusual location is detected, it can require additional authentication or block the user altogether.
  • Access Reviews: Regularly review user access to resources to ensure they still need it—helpful for compliance.
  • Just-in-Time Access: Ensure users only get access to critical resources when they absolutely need it, reducing the chance of misuse.
  • Custom and Global Blocked Password Lists: Like P1, you can define custom blocked passwords, while also using Microsoft’s global blocked password list for added protection.

Why P2 is a Must for Larger Organizations:

  • Top-level security: If you deal with sensitive data or need to meet strict compliance standards, P2 offers the most robust security features.
  • Identity governance: P2 helps you stay compliant by ensuring the right people have the right access, and only when they need it.

Included with Microsoft 365 Plans:

  • Microsoft 365 E5: Includes Entra ID Premium P2, offering the full suite of features, including Identity Protection, Privileged Identity Management, and risk-based Conditional Access.

Recommendation: P2 Licenses for Executives and Global Admins

While Entra ID Premium P2 is great for any organization with high-level security needs, I strongly recommend P2 licenses for certain key roles, such as global administrators and executives. Here’s why:

1. High-Risk Accounts Are the Biggest Targets

Executives and global admins often have elevated permissions and access to the most sensitive data and resources in the organization. These high-level accounts are frequent targets for cyberattacks, including phishing and credential theft. P2’s advanced security features—like Privileged Identity Management (PIM) and Risk-Based Conditional Access—help ensure these accounts remain secure even under heightened threat scenarios.

2. Privileged Access Should Be Temporary

Executives and admins often require privileged access, but these permissions don’t need to be active all the time. With Just-in-Time Access, you can grant high-level access temporarily, limiting the risk window for attackers.

3. Proactive Risk Detection and Response

Executives often log in from various locations and devices, which can introduce security risks. With Risk-Based Conditional Access, P2 automatically adjusts access rules based on factors like the user’s behaviour, location, or device security. This ensures that high-value accounts are always protected, even when the risk level changes.

For these reasons, upgrading your key users to Entra ID Premium P2 provides an added layer of protection for your most valuable accounts.


Wrapping It Up

Microsoft Entra ID offers something for everyone, whether you’re a small business needing basic security or a large enterprise looking for advanced identity protection. The key is understanding your organization’s specific needs and matching them to the right Entra ID tier.

For companies looking to tighten security around executives or users with global access, we highly recommend going with Entra ID Premium P2. The advanced features, especially when combined with a Zero Trust approach, give you robust protection without sacrificing usability.